Unable to add Compliance Policy


I have enabled my Global Admin role in PIM; when I try to add the Audit CIS Microsoft Azure Foundations Benchmark 1.1.0 standard, I get an error: "You cannot perform this action without the following permissions over selected scope (Microsoft.Authorization/PolicyAssignments/write)". When I search for this permission, I can't find anything about a Write method for the PolicyAssignments. Any idea what would be causing this or how I investigate?


@Dean Gross

To onboard the initiative to ASC, you need to have contributor or owner role on the scope you are assigning. There may also be a specific policy contributor role.


However, global admin is an AAD role on the tenant level and doesn’t by default provide full RBAC permissions on Azure resources. You can potentially elevate and assign those to yourself.


HTH

@Ronit Reger Thanks, I do have the Contributor role for the subscription.

Hi @Dean Gross ,

After speaking to our Azure Policy expert, she says that actually Contributor access isn’t sufficient. You’d need owner or policy contributor role to assign to that scope.


Does that resolve?

Thanks

--Ronit.
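The answer above comes down to how Azure RBAC evaluates a role's Actions against its NotActions. The following is an added example, not code from the thread or from Microsoft: it reproduces the effective-permission check over constructed, abbreviated excerpts of the Contributor, Owner and Resource Policy Contributor built-in roles (the real definitions carry more entries, plus DataActions and deny assignments, which are left out here) and shows why Contributor cannot write a policy assignment.

```python
import re

# Constructed, abbreviated excerpts of Azure built-in role definitions.
# Assumption: only the entries relevant to policy assignments are reproduced.
ROLE_DEFINITIONS = {
    "Contributor": {
        "Actions": ["*"],
        # Contributor is "everything except managing authorization objects":
        # this NotActions entry is what blocks PolicyAssignments/write.
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Resource Policy Contributor": {
        "Actions": [
            "*/read",
            "Microsoft.Authorization/policyassignments/*",
            "Microsoft.Authorization/policydefinitions/*",
            "Microsoft.Authorization/policysetdefinitions/*",
        ],
        "NotActions": [],
    },
}


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC matching: case-insensitive, '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def role_allows(role_name: str, action: str) -> bool:
    """Effective permission: some Actions pattern matches and no NotActions pattern does."""
    role = ROLE_DEFINITIONS[role_name]
    allowed = any(action_matches(p, action) for p in role["Actions"])
    denied = any(action_matches(p, action) for p in role["NotActions"])
    return allowed and not denied


def roles_granting(action: str, assigned_roles: list) -> list:
    """Return which of the caller's assigned roles grant the requested action."""
    return [r for r in assigned_roles if role_allows(r, action)]


if __name__ == "__main__":
    needed = "Microsoft.Authorization/PolicyAssignments/write"
    for role in ROLE_DEFINITIONS:
        print(f"{role:30} {needed}: {role_allows(role, needed)}")
```

On a live subscription the same check can be made against the real definitions by comparing the action in the error message with the output of `az role definition list --name "<role>"`.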

I'm facing the same issue with making a custom policy on an NSG with a tag using two built-in policies.
https://stackoverflow.com/questions/68213246/all-network-port-restricted-on-network-security-group-which-have-dev-tag